diff --git a/kubernetes/helm-opensearch-dashboards.yaml b/kubernetes/helm-opensearch-dashboards.yaml new file mode 100644 index 0000000000..0f799fa7df --- /dev/null +++ b/kubernetes/helm-opensearch-dashboards.yaml @@ -0,0 +1,254 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 + +# Default values for opensearch-dashboards. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +opensearchHosts: "https://opensearch-cluster-leader:9200" +replicaCount: 2 + +image: + repository: "public.ecr.aws/y0r0d3v8/actionrunner" + # override image tag, which is .Chart.AppVersion by default + tag: "2.18.0-11848445202" + pullPolicy: "Always" + +startupProbe: + tcpSocket: + port: 5601 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + initialDelaySeconds: 10 + +livenessProbe: + tcpSocket: + port: 5601 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + initialDelaySeconds: 10 + +readinessProbe: + tcpSocket: + port: 5601 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + initialDelaySeconds: 10 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +rbac: + create: true + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +podAnnotations: {} + +extraEnvs: [] + +envFrom: [] + +extraVolumes: [] + +extraVolumeMounts: [] + +extraInitContainers: "" + +extraContainers: "" + +podSecurityContext: {} + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +config: + # Default OpenSearch Dashboards configuration from docker image of Dashboards + opensearch_dashboards.yml: + opensearch.hosts: [https://localhost:9200] + opensearch.ssl.verificationMode: none + vis_type_vega.enableExternalUrls: true + opensearch.ignoreVersionMismatch: true + opensearch.username: kibanaserver + opensearch.password: ${KIBANA_SERVER_PASSWORD} + opensearch.requestHeadersWhitelist: [authorization, securitytenant] + opensearch_security.auth.anonymous_auth_enabled: true + opensearch_security.multitenancy.enabled: false + opensearch_security.multitenancy.tenants.enable_global: true + opensearch_security.multitenancy.tenants.enable_private: true + opensearch_security.multitenancy.tenants.preferred: [Global, Private] + opensearch_security.readonly_mode.roles: [kibana_read_only] + # Use this setting if you are running opensearch-dashboards without https + opensearch_security.cookie.secure: false + server.host: '0.0.0.0' + # Use the consolidated menu and global header bar + opensearchDashboards.branding.useExpandedHeader: false + # Enable multiple datasource + data_source.enabled: true + data_source.endpointDeniedIPs: [ + '127.0.0.0/8', + '::1/128', + '169.254.0.0/16', + 'fe80::/10', + '10.0.0.0/8', + '172.16.0.0/12', + '192.168.0.0/16', + 'fc00::/7', + '0.0.0.0/8', + '100.64.0.0/10', + '192.0.0.0/24', + '192.0.2.0/24', + '198.18.0.0/15', + '192.88.99.0/24', + '198.51.100.0/24', + '203.0.113.0/24', + '224.0.0.0/4', + '240.0.0.0/4', + '255.255.255.255/32', + '::/128', + '2001:db8::/32', + 'ff00::/8', + ] + # Enable ml_commons_dashboards + # ml_commons_dashboards.enabled: true + # Content security policy(csp) settings + csp.rules: [ "connect-src 'self' www.google-analytics.com vectors.maps.opensearch.org tiles.maps.opensearch.org maps.opensearch.org;" ] + csp.warnLegacyBrowsers: false + google_analytics_plugin.trackingID: ${GA_TRACKING_ID} + + # security plugin for openid + opensearch_security.auth.type: ['Basicauth','openid'] + opensearch_security.auth.multiple_auth_enabled: true + opensearch_security.ui.openid.login.buttonname: "Log in with Google account" + opensearch_security.ui.openid.login.brandimage: "https://opensearch.org/assets/brand/PNG/Mark/opensearch_mark_default.png" + opensearch_security.ui.openid.login.showbrandimage: true + opensearch_security.openid.base_redirect_url: "https://observability.playground.opensearch.org" + opensearch_security.openid.scope: 'openid profile email' + opensearch_security.openid.verify_hostnames: false + opensearch_security.openid.refresh_tokens: false + + opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration" + opensearch_security.openid.client_id: {OPENID_CLIENT_ID} + opensearch_security.openid.client_secret: {OPENID_CLIENT_SECRET} + opensearch_security.openid.logout_url: "https://observability.playground.opensearch.org" + # workspace + workspace.enabled: true + savedObjects.permission.enabled: true + opensearchDashboards.dashboardAdmin.users: ["admin", "test1"] + assistant.chat.enabled: false + + queryEnhancements.queryAssist.summary.enabled: true + assistant.smartAnomalyDetector.enabled: true + assistant.alertInsight.enabled: true + assistant.text2viz.enabled: true + assistant.enabled: true + + data_source.ssl.verificationMode: none + + # uiSettings: + # overrides: + # "theme:next": true + # "theme:darkMode": true + + uiSettings: + overrides: + "query:enhancements:enabled": true + "query:dataSource:readOnly": false + "query:dataSourceReadOnly": false + "home:useNewHomePage": true + +priorityClassName: "" + +opensearchAccount: + secret: "" + keyPassphrase: + enabled: false + +labels: {} + +hostAliases: [] + +serverHost: "0.0.0.0" + +service: + type: ClusterIP + port: 5601 + loadBalancerIP: "" + nodePort: "" + labels: {} + annotations: {} + loadBalancerSourceRanges: [] + # 0.0.0.0/0 + httpPortName: http + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + annotations: {} + hosts: + - host: chart-example.local + paths: + - path: / + backend: + serviceName: chart-example.local + servicePort: 80 + tls: [] + +resources: + requests: + cpu: "1" + memory: "8G" + limits: + cpu: "3" + memory: "24G" + +autoscaling: + # This requires metrics server to be installed, to install use kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + # See https://github.com/kubernetes-sigs/metrics-server + enabled: false + minReplicas: 2 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + +updateStrategy: + type: "Recreate" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Array of extra K8s manifests to deploy +extraObjects: [] + +# specify the external plugins to install +plugins: + enabled: true + installList: ["https://github.com/BionIT/google-analytics-plugin/releases/download/2.18.0/googleAnalytics-2.18.0.zip"] \ No newline at end of file diff --git a/kubernetes/helm-opensearch.yaml b/kubernetes/helm-opensearch.yaml new file mode 100644 index 0000000000..8ebabd0145 --- /dev/null +++ b/kubernetes/helm-opensearch.yaml @@ -0,0 +1,1166 @@ +--- +clusterName: "opensearch-cluster" +nodeGroup: "leader" + +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group +masterService: "opensearch-cluster-leader" + +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client +roles: + - master + - ingest + - data + - remote_cluster_client + +replicas: 3 + +# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. +majorVersion: "" + +#global: + # Set if you want to change the default docker registry, e.g. a private one. + # dockerRegistry: "" + +# Allows you to add any config files in {{ .Values.opensearchHome }}/config +opensearchHome: /usr/share/opensearch +# such as opensearch.yml +config: + esnode.pem: |- + ${ESNODE_CERT} + esnode-key.pem: |- + ${ESNODE_KEY_CERT} + root-ca.pem: |- + ${ROOT_CA_CERT} + + opensearch.yml: | + cluster.name: opensearch-cluster + plugins.query.datasources.encryption.masterkey: 305a26066bd916abfaa45fbc + # Bind to all interfaces because we don't know what IP address Docker will assign to us. + network.host: 0.0.0.0 + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. + # discovery.type: single-node + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: true + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + allow_unsafe_democertificates: false + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test,C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".plugins-ml-config", + ".plugins-ml-connector", + ".plugins-ml-model-group", + ".plugins-ml-model", + ".plugins-ml-task", + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opensearch-notifications-*", + ".opensearch-notebooks", + ".opensearch-observability", + ".ql-datasources", + ".opendistro-asynchronous-search-response*", + ".replication-metadata-store", + ".opensearch-knn-models", + ] + +# Extra environment variables to append to this nodeGroup. +# This will be appended to the current 'env:' key. You can use any of the kubernetes env +# syntax here +extraEnvs: +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + - name: DISABLE_INSTALL_DEMO_CONFIG + value: "true" + +# Allows you to load environment variables from kubernextes secret or config map +envFrom: [] + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +hostAliases: [] + +image: + repository: "opensearchstaging/opensearch" + # override image tag, which is .Chart.AppVersion by default + tag: "2.18.0" + pullPolicy: "Always" + +podAnnotations: {} + +# additionals labels +labels: {} + +opensearchJavaOpts: "-Xmx2G -Xms2G" + +resources: + requests: + cpu: "2" + memory: "8Gi" + +autoscaling: + # This requires metrics server to be installed, to install use kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + # See https://github.com/kubernetes-sigs/metrics-server + enabled: true + minReplicas: 3 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + +networkHost: "0.0.0.0" + +rbac: + create: false + serviceAccountAnnotations: {} + serviceAccountName: "" + +podSecurityPolicy: + create: false + name: "" + spec: + privileged: true + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - persistentVolumeClaim + - emptyDir + +persistence: + enabled: true + # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. + enableInitChown: false + # override image, which is busybox by default + # image: busybox + # override image tag, which is latest by default + # imageTag: + labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet + enabled: false + # OpenSearch Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. (gp2 on AWS, standard on + # GKE, AWS & OpenStack) + + accessModes: + - ReadWriteOnce + size: 500Gi + annotations: {} + +protocol: http +httpPort: 9200 +transportPort: 9300 + +service: + type: ClusterIP + httpPortName: http + transportPortName: transport + +updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance. +maxUnavailable: 1 + +podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + +securityContext: + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + +securityConfig: + enabled: true + path: "/usr/share/opensearch/config/opensearch-security" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. + config: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. + # * It is an error to define both data and securityConfigSecret. + # securityConfigSecret: "" + data: + config.yml: | + _meta: + type: "config" + config_version: 2 + + config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + kibana: + # Kibana multitenancy + multitenancy_enabled: true + server_username: kibanaserver + index: '.kibana' + http: + anonymous_auth_enabled: true + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + type: noop + openid_auth_domain: + http_enabled: true + transport_enabled: true + order: 1 + http_authenticator: + type: openid + challenge: false + config: + subject_key: email + roles_key: email + openid_connect_url: https://accounts.google.com/.well-known/openid-configuration + authentication_backend: + type: noop + basic_internal_auth_domain: + description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + roles_key: null + subject_key: null + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) + resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap + internal_users.yml: | + _meta: + type: "internalusers" + config_version: 2 + + # Define your internal users here + + ## Demo users + + admin: + hash: "$2y$12$mInRGUvSWOGA0fy7yKo9JONK3igEFBAFeka7Cg3jfST0YshDVh4Ty" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + + kibanaserver: + hash: "$2y$12$StMZvnD6EauAk6oH2JnJLeSXuFm58r/iwXb7q/9ZyuOK8EVGft6Zi" + reserved: true + description: "Demo OpenSearch Dashboards user" + + kibanaro: + hash: "$2y$12$QrgdT6xLNl.7YzX4YtuGqOlsNxJghLsOrKVfkJT6Bve1u5azUpRVe" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo OpenSearch Dashboards read only user" + + logstash: + hash: "$2y$12$zVD7djQ03yRouBCgomHONumeplc90Yc7I9Tj/uv5xHYcjv1EaUPCG" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + + readall: + hash: "$2y$12$Hb31rXUUmkwEayXA8pWZEeNgdtcYvVTasV0dmxQjX8tOhmSoNeMX." + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + + snapshotrestore: + hash: "$2y$12$6iH./fJWKLzE8CjKK73J3eNiIC5Mn0oJsc1dVV2LwuNdcxua.Hr66" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" + roles.yml: | + _meta: + type: "roles" + config_version: 2 + + # Restrict users so they can only view visualization and dashboard on OpenSearchDashboards + kibana_read_only: + reserved: true + + # The security REST API access role is used to assign specific users access to change the security settings through the REST API. + security_rest_api_access: + reserved: true + + # Allows users to view monitors, destinations and alerts + alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/destination/email_group/search' + - 'cluster:admin/opendistro/alerting/destination/email_account/search' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + + # Allows users to view and acknowledge alerts + alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + + # Allows users to use all alerting functionality + alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + + # Allow users to read Anomaly Detection detectors and results + anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + + # Allows users to use all Anomaly Detection functionality + anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + + # Allows users to read Notebooks + notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + + # Allows users to all Notebooks functionality + notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + + # Allows users to read observability objects + observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + - 'cluster:admin/opensearch/ppl' + + # Allows users to all Observability functionality + observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + + # Allows users to read and download Reports + reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to read and download Reports and Report-definitions + reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to all Reports functionality + reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to use all asynchronous-search functionality + asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + + # Allows users to read stored asynchronous-search results + asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + + # Allows user to use all index_management actions - ism policies, rollups, transforms + index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + + # Allows users to use all cross cluster replication functionality at leader cluster + cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + + # Allows users to use all cross cluster replication functionality at follower cluster + cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + + # Allow users to read ML stats/models/tasks + ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/openserach/ml/stats' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + + # Allows users to read Notifications config/channels + notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + + # Allows users to see snapshots, repositories, and snapshot management policies + snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + + # Allows users to use all ML functionality + ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + + # Anonymous access role + opendistro_security_anonymous_role: + reserved: true + cluster_permissions: + # For using _cat/indices + - 'cluster:monitor/state' + - 'cluster:monitor/health' + - 'cluster:monitor/nodes/info' + # To enable read access to ISM + - cluster:admin/opendistro/ism/policy/search + - cluster:admin/opendistro/ism/managedindex/explain + - cluster:admin/opendistro/rollup/search + - cluster:admin/opendistro/transform/get_transforms + # To enable read access ml profile + - cluster:admin/opensearch/ml/profile/nodes + # For ML + - cluster:admin/opensearch/ml/trainAndPredict + # To enable read access to various ISM Jobs + - cluster:admin/opendistro/rollup/explain + - cluster:admin/opendistro/ism/policy/get + - cluster:admin/opendistro/rollup/get + - cluster:admin/opendistro/transform/explain + - cluster:admin/opendistro/transform/get + # To enable read access to security analytics + - cluster:admin/opensearch/securityanalytics/rule/search + - cluster:admin/opensearch/securityanalytics/detector/search + - cluster:admin/opensearch/securityanalytics/findings/get + - cluster:admin/opensearch/securityanalytics/alerts/get + - cluster:admin/opensearch/securityanalytics/detector/get + - cluster:admin/opensearch/securityanalytics/logtype/search + # For using sql join query + - "indices:data/read/scroll*" + index_permissions: + - index_patterns: + - ".kibana" + - ".kibana-6" + - ".kibana_*" + - ".opensearch_dashboards" + - ".opensearch_dashboards-6" + - ".opensearch_dashboards_*" + allowed_actions: + - "read" + - index_patterns: + - ".tasks" + - ".management-beats" + - "*:.tasks" + - "*:.management-beats" + allowed_actions: + - "read" + - index_patterns: + - 'opensearch_dashboards_sample_data_logs' + - 'opensearch_dashboards_sample_data_flights' + - 'opensearch_dashboards_sample_data_ecommerce' + allowed_actions: + - "read" + - index_patterns: + - '*' + allowed_actions: + - "read" + - "indices:data/read/mget" + - "indices:data/read/msearch" + - "indices:data/read/mtv" + - "indices:admin/get" + - "indices:admin/aliases/exists*" + - "indices:admin/aliases/get*" + - "indices:admin/mappings/get" + - "indices:data/read/scroll" + - "indices:monitor/settings/get" + - "indices:monitor/stats" + tenant_permissions: + - tenant_patterns: + - '*' + allowed_actions: + - "kibana_all_read" + + # Google users access role + google_users_role: + reserved: true + cluster_permissions: + # For using _cat/indices + - 'cluster:monitor/state' + - 'cluster:monitor/health' + - 'cluster:monitor/nodes/info' + # For script + - 'cluster:admin/script/put' + # To enable read access to ISM + - cluster:admin/opendistro/ism/policy/search + - cluster:admin/opendistro/ism/managedindex/explain + - cluster:admin/opendistro/rollup/search + - cluster:admin/opendistro/transform/get_transforms + # To enable read access to various ISM Jobs + - cluster:admin/opendistro/rollup/explain + - cluster:admin/opendistro/ism/policy/get + - cluster:admin/opendistro/rollup/get + - cluster:admin/opendistro/transform/explain + - cluster:admin/opendistro/transform/get + # To enable read access to security analytics + - cluster:admin/opensearch/securityanalytics/rule/search + - cluster:admin/opensearch/securityanalytics/detector/search + - cluster:admin/opensearch/securityanalytics/findings/get + - cluster:admin/opensearch/securityanalytics/alerts/get + - cluster:admin/opensearch/securityanalytics/detector/get + # For using sql join query + - "indices:data/read/scroll*" + # For Observability sample + - cluster:admin/opensearch/observability/create + - cluster:admin/opensearch/observability/update + - cluster:admin/opensearch/observability/get + # For ML + - cluster:admin/opensearch/ml/trainAndPredict + index_permissions: + - index_patterns: + - ".kibana" + - ".kibana-6" + - ".kibana_*" + - ".opensearch_dashboards" + - ".opensearch_dashboards-6" + - ".opensearch_dashboards_*" + allowed_actions: + - "read" + - index_patterns: + - ".tasks" + - ".management-beats" + - "*:.tasks" + - "*:.management-beats" + allowed_actions: + - "read" + - index_patterns: + - 'opensearch_dashboards_sample_data_logs' + - 'opensearch_dashboards_sample_data_flights' + - 'opensearch_dashboards_sample_data_ecommerce' + allowed_actions: + - "*" + - index_patterns: + - '*' + allowed_actions: + - "read" + - "indices:data/read/mget" + - "indices:data/read/msearch" + - "indices:data/read/mtv" + - "indices:data/write*" + - "indices:admin/create" + - 'indices:admin/analyze' + - "indices:admin/get" + - "indices:admin/aliases/exists*" + - "indices:admin/aliases/get*" + - "indices:admin/mappings/get" + - "indices:monitor/settings/get" + - "indices:monitor/stats" + tenant_permissions: + - tenant_patterns: + - '*' + allowed_actions: + - "kibana_all_read" + roles_mapping.yml: | + _meta: + type: "rolesmapping" + config_version: 2 + + # Define your roles mapping here + google_users_role: + backend_roles: + - "kibanauser" + users: + - "*@gmail.com" + + opendistro_security_anonymous_role: + backend_roles: + - "opendistro_security_anonymous_backendrole" + + alerting_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + anomaly_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + notebooks_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + observability_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + reports_instances_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + reports_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + asynchronous_search_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + ml_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + notifications_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + snapshot_management_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + ## Demo roles mapping + + all_access: + reserved: false + backend_roles: + - "admin" + description: "Maps admin to all_access" + + own_index: + reserved: false + users: + - "*" + description: "Allow full access to an index named like the username" + + logstash: + reserved: false + backend_roles: + - "logstash" + + kibana_user: + reserved: false + backend_roles: + - "kibanauser" + description: "Maps kibanauser to kibana_user" + + readall: + reserved: false + backend_roles: + - "readall" + + manage_snapshots: + reserved: false + backend_roles: + - "snapshotrestore" + + kibana_server: + reserved: true + users: + - "kibanaserver" + + action_groups.yml: | + _meta: + type: "actiongroups" + config_version: 2 + tenants.yml: | + _meta: + type: "tenants" + config_version: 2 + + # Define your tenants here + + ## Demo tenants + # Demo: + # reserved: false + # description: "Demo tenant for admin user" + whitelist.yml: | + config: + enabled: false + requests: + /_cluster/settings: + - GET + /_cat/nodes: + - GET + nodes_dn.yml: | + _meta: + type: "nodesdn" + config_version: 2 + opensearch-cluster: + nodes_dn: + - CN=node1.dns.a-record + audit.yml: | + _meta: + type: "audit" + config_version: 2 + + config: + # enable/disable audit logging + enabled: true + + audit: + # Enable/disable REST API auditing + enable_rest: true + + # Categories to exclude from REST API auditing + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Enable/disable Transport API auditing + enable_transport: true + + # Categories to exclude from Transport API auditing + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Users to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_users: ["test-user", "employee-*"] + ignore_users: + - kibanaserver + + # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_requests: ["indices:data/read/*", "SearchRequest"] + ignore_requests: [] + + # Log individual operations in a bulk request + resolve_bulk_requests: false + + # Include the body of the request (if available) for both REST and the transport layer + log_request_body: true + + # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns + resolve_indices: true + + # Exclude sensitive headers from being included in the logs. Eg: Authorization + exclude_sensitive_headers: true + + compliance: + # enable/disable compliance + enabled: true + + # Log updates to internal security changes + internal_config: true + + # Log external config files for the node + external_config: false + + # Log only metadata of the document for read events + read_metadata_only: true + + # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: + # read_watched_fields: { + # "twitter": ["message"] + # "logs-*": ["id", "attr*"] + # } + read_watched_fields: {} + + # List of users to ignore for read events. Wildcard patterns are supported. Eg: + # read_ignore_users: ["test-user", "employee-*"] + read_ignore_users: + - kibanaserver + + # Log only metadata of the document for write events + write_metadata_only: true + + # Log only diffs for document updates + write_log_diffs: false + + # List of indices to watch for write events. Wildcard patterns are supported + # write_watched_indices: ["twitter", "logs-*"] + write_watched_indices: [] + + # List of users to ignore for write events. Wildcard patterns are supported. Eg: + # write_ignore_users: ["test-user", "employee-*"] + write_ignore_users: + - kibanaserver + +# How long to wait for opensearch to stop gracefully +terminationGracePeriod: 120 + +sysctlVmMaxMapCount: 262144 + +readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" + +imagePullSecrets: [] +nodeSelector: {} +tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. +# Only enable this if you have security enabled on your cluster +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + + annotations: {} + + path: / + hosts: + - chart-example.local + tls: [] + + +nameOverride: "" +fullnameOverride: "" + +masterTerminationFix: false + +lifecycle: {} + +keystore: [] + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . }}-client: "true" + http: + enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead +fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +sysctl: + enabled: false + +## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. +plugins: + enabled: false + installList: [] diff --git a/kubernetes/ssm_daemonset.yaml b/kubernetes/ssm_daemonset.yaml new file mode 100644 index 0000000000..267519af1f --- /dev/null +++ b/kubernetes/ssm_daemonset.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + k8s-app: ssm-installer + name: ssm-installer + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: ssm-installer + template: + metadata: + labels: + k8s-app: ssm-installer + spec: + containers: + - name: sleeper + image: busybox + command: ['sh', '-c', 'echo I keep things running! && sleep 3600'] + initContainers: + - image: amazonlinux + imagePullPolicy: Always + name: ssm + command: ["/bin/bash"] + args: ["-c","echo '* * * * * root yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm & rm -rf /etc/cron.d/ssmstart' > /etc/cron.d/ssmstart"] + securityContext: + allowPrivilegeEscalation: true + volumeMounts: + - mountPath: /etc/cron.d + name: cronfile + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumes: + - name: cronfile + hostPath: + path: /etc/cron.d + type: Directory + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + terminationGracePeriodSeconds: 30